Trust

Security at Staffing Referrals.

We process contact and work-history information on behalf of staffing agencies. This page covers what we store, how it's protected, and what we'll put in writing for your security review.

Last updated: July 1, 2026

The data we handle

Non-sensitive personal information. Nothing more.

Staffing Referrals is referral-program software for staffing agencies. For personal information processed in the platform, the agency is the data controller and Staffing Referrals is the data processor. That personal information relates to ambassadors, candidates and applicants, and the agency's own recruiters and staff. Data is stored in the United States.

What the platform stores

  • Contact information: names, email addresses, phone numbers, mailing addresses
  • Professional information: work history, skills, job preferences
  • Referral and application activity inside the platform

What we do not store

  • Social Security numbers
  • Driver's license or state ID numbers
  • Financial, payment-card, bank, or tax information
  • Background-check data
  • Protected health information (PHI)

Live data is retained for the duration of the customer engagement and deleted or returned on termination, per the customer agreement. Database backups expire on a rolling one-week cycle.

How it's protected

Documented controls, stated plainly.

Everything below comes from our written policy set. If something you need isn't listed, ask us rather than assume.

01 · Encryption

In transit and at rest

TLS 1.2 or higher in transit. AES-256 at rest. Sensitive fields carry an additional application-level encryption layer managed by Staffing Referrals.

02 · Access control

Least privilege, MFA

Unique individual accounts with role-based, least-privilege access. Our Access Control Policy requires MFA on administrative systems, including Google Workspace, Heroku, AWS, and Cloudflare. Access is reviewed at least annually and removed promptly at separation.

03 · Infrastructure

Cloud-native, US-hosted

The application runs on Heroku. Data lives in AWS RDS PostgreSQL (us-east-1, Multi-AZ) with automated failover. Staging and production run in separate AWS accounts. No offices, no on-premises servers.

04 · Network edge

WAF in front of everything

A Cloudflare web application firewall sits in front of all application traffic, with DDoS protection and bot mitigation.

05 · Development

Reviewed, scanned, auditable

Static analysis (Brakeman) runs on every change and blocks the merge until findings are resolved. Peer code review on every change. Deployments are controlled and auditable, and production code can't be edited by hand.

06 · Monitoring

Alerts and scanning

Sentry, Scout, AWS CloudWatch, Cloudflare health checks, and the Google Workspace alert center route alerts to the engineering team. Intruder scans the production environment for vulnerabilities.

07 · Continuity

Backups and recovery

Daily database backups with one-week retention, plus 5-minute transaction-log point-in-time recovery. Recovery objectives: 2-hour RTO, 30-minute RPO.

08 · Incidents

A written response plan

A documented Incident Response Plan covers detection, containment, and recovery. If a confirmed incident involves customer data, we notify affected customers without undue delay, per our contractual obligations.

People are part of the control set. Personnel sign confidentiality agreements at hire, complete security awareness training required under our HR Security Policy, and lose access promptly when they leave.

Subprocessors

Who touches customer data.

These providers support delivery of the service and may process customer data, each under contractual confidentiality and security obligations.

  • Amazon Web Services: Database (RDS PostgreSQL), search (OpenSearch), and storage, hosted in the US (us-east-1).
  • Heroku: Application hosting (web and worker compute) and Redis. United States.
  • Cloudflare: Web application firewall, DDoS protection, and edge content delivery.
  • SendGrid: Transactional and system email delivery.
  • Metabase: Business intelligence and internal analytics over the production database.
  • TextUs: SMS messaging, where a customer has texting enabled.

A new vendor that would access customer data is evaluated for its security and privacy posture before it is authorized. Operational vendors such as GitHub Enterprise, Google Workspace, Slack, Chargebee, and HubSpot support internal operations with limited or no access to customer personal data.

The policy set

Written down, versioned, reviewed.

Staffing Referrals maintains a documented security policy set, owned by engineering leadership and reviewed at least annually. The full documents are provided to customers for security assessment under NDA.

Core policies

  • Information Security Policy
  • Access Control Policy
  • Risk and Vulnerability Management Policy
  • Incident Response Plan
  • Business Continuity Plan
  • SDLC and Change Management Policy
  • Data Retention and Classification Policy
  • Third-Party Vendor Risk Management Policy

Supporting policies and documents

  • HR Security Policy
  • Privacy Policy (platform)
  • Asset Management Policy
  • Mobile Device Policy
  • Removable Media Policy
  • Network and Data Flow Diagram
  • Penetration Testing and Vulnerability Management Statement

Vendor review

Working with your security team.

What we provide

  • Security questionnaires: We complete customer security questionnaires and vendor security assessments as part of enterprise onboarding.
  • Data processing agreement: We enter into data processing agreements with customers. A DPA is available on request.
  • Policy documentation: The full policy set listed above is available under NDA.
  • Insurance: Staffing Referrals carries cyber and technology errors and omissions insurance. A certificate of insurance is available on request.

Contact

For security questions, documentation requests, or to report a security concern:

success@staffingreferrals.com

For how this website handles visitor data, see the website privacy policy.

Bring your security team. We'll bring the documentation.
